A General Method for Analyzing RPC Vulnerabilities - Vulnerability Warning - Black Bar Security Net

2009-01-09T00:00:00
ID MYHACK58:62200921875
Type myhack58
Reporter 佚名
Modified 2009-01-09T00:00:00

Description

Author: Friddy

I. Tools needed

1. IDA Pro Advanced 5.2 (a powerful static reversing tool)
2. HexRays (a powerful IDA plug-in that converts assembly code into high-quality C code)
3. mIDA (an excellent IDA plug-in for extracting RPC interfaces)

II. Finding the overflow point

1. Patch comparison
   (1) Keep the un-updated file in a folder named Old.
   (2) Put the patched, updated file in a folder named New.
   (3) Use "Darun Grim" or a similar patch comparison tool to compare the two and find the places Microsoft quietly modified.

2. The trust-to-luck approach
   (1) Fuzzing: if a year of hard work turns up two or three, you can thank your ancestors for their blessing.
   (2) Static analysis: use IDA to look for the functions that commonly overflow, such as strcpy, lstrcpy, strcat, wcscpy, wcscat, sprintf, and so on. In the disassembly, also pay attention to rep movsd; for example, the MS08-066 privilege escalation in AFD.sys involved a rep movsd.
   (3) Pay attention to errors during everyday use of software; they may be overflows.

III. Tracing the source

1. Below, Friddy takes MS08-067 as the example; corrections are welcome if anything is wrong. Analyzing netapi32.dll with the patch comparison tool found that the subroutine sub_5FDDA180 was modified by Microsoft.

[Figure 1]

In the Functions tab, find sub_5FDDA180 and double-click to enter it.

[Figure 2]

Click sub_5FDDA180, right-click and select "Chart of xrefs to" to find which function calls it.

[Figure 3]

You can see:

[Figure 4]

It is NetpwPathCanonicalize that calls the subroutine sub_5FDDA180. Next, look at the NetpwPathCanonicalize function itself:

[Figure 5]

NetpwPathCanonicalize can be found in IDA's exported function table:

[Figure 6]

The next question is who can reach NetpwPathCanonicalize from the outside. Consulting a text on Windows network services internals and searching for the keyword PathCanonicalize turns up the following:

################################################################

The srvsvc interface is used to manage the lanmanserver service.

Interface: 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0: srvsvc    // Comment by Friddy

Operation number    Operation name
0x00                NetrCharDevEnum
0x01                NetrCharDevGetInfo
0x02                NetrCharDevControl
0x03                NetrCharDevQEnum
............
0x1e                NetprPathType
0x1f                NetprPathCanonicalize    // this is the call site we want to find
0x20                NetprPathCompare
...................
0x24                NetrShareEnumSticky

################################################################

So the interface we are looking for is at opcode 0x1f in srvsvc.dll. Next, again use IDA to reverse srvsvc.dll. Here we need mIDA; the shortcut to bring up mIDA is Ctrl+7. Find the entry for opcode 0x1f:

[Figure 7]

The function at opcode 0x1f is named sub_74FFDAE2. Double-click this function and you can see:

[Figure 8]

OK! The call site of NetpwPathCanonicalize has been found. Double-click the call to NetpwPathCanonicalize and you can see:

[Figure 9]

Then double-click jmp ds:__imp_NetpwPathCanonicalize to see:

[Figure 10]

If this resolves to NetpwPathCanonicalize imported from NETAPI32.DLL, we have found the right place. In the mIDA window, select the function at opcode 0x1f, right-click and select Decompile.

[Figure 11]

This yields the interface definition:

################################################################

[ uuid(4b324fc8-1670-01d3-1278-5a47bf6ee188), version(3.0) ]
interface mIDA_interface
{
    /* opcode: 0x1F, address: 0x74FFDAE2 */
    long sub_74FFDAE2 (
        [in][unique][string] wchar_t * arg_1,
        [in][string] wchar_t * arg_2,
        [out][size_is(arg_4)] char * arg_3,
        [in][range(0,64000)] long arg_4,
        [in][string] wchar_t * arg_5,
        [in, out] long * arg_6,
        [in] long arg_7
    );
}

################################################################

At this point, the source tracing is complete.

IV. The overflow

Return to the overflow point obtained earlier by patch comparison: in netapi32.dll, right-click sub_5FDDA180 and select "Chart of xrefs from", and you can see:

[Figure 12]

wcscpy and wcscat are used here, and that is where the overflow is......................

Since the aim here is to explain a general method for analyzing RPC vulnerabilities, MS08-067 itself is not analyzed in depth. For a detailed analysis, you can use HexRays to decompile sub_5FDDA180 and sub_5FDDA26B into C code, which is much easier to read without getting confused.
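As an added illustration (not from the original article and not the actual netapi32.dll code), here is the unchecked wcscpy/wcscat pattern flagged above beside a length-checked form of the same path join; the function names and sample inputs are constructed, and the capacity argument plays the role the caller-supplied size parameter plays in the decompiled RPC interface.

```c
#include <wchar.h>

/* The pattern flagged in section IV: wcscpy/wcscat into a caller's buffer
 * with no check that prefix + L"\\" + path fits. Illustrative only. */
static void join_path_unchecked(const wchar_t *prefix, const wchar_t *path,
                                wchar_t *out)
{
    wcscpy(out, prefix);   /* prefix length never compared to the buffer */
    wcscat(out, L"\\");
    wcscat(out, path);     /* path length never compared either */
}

/* Hardened form (constructed example). out_cch is the caller-supplied
 * capacity in wide characters, like the [in][range(0,64000)] size argument
 * of the decompiled interface. Returns 0 on success, -1 if the result
 * would not fit; on failure nothing is written to out. */
static int join_path_checked(const wchar_t *prefix, const wchar_t *path,
                             wchar_t *out, size_t out_cch)
{
    size_t plen = wcslen(prefix), slen = wcslen(path), remaining;
    if (plen >= out_cch)            /* also rejects out_cch == 0 */
        return -1;
    remaining = out_cch - plen;     /* >= 1, so no unsigned wrap */
    if (remaining < 2 || slen > remaining - 2)  /* separator + NUL */
        return -1;
    wmemcpy(out, prefix, plen);
    out[plen] = L'\\';
    wmemcpy(out + plen + 1, path, slen);
    out[plen + 1 + slen] = L'\0';
    return 0;
}

/* Returns the number of failed checks (0 = all good). Inputs are constructed. */
int run_checks(void)
{
    wchar_t big[64], tight[18];
    int failures = 0;
    join_path_unchecked(L"C:\\share", L"file.txt", big); /* 17 chars + NUL fits in 64 */
    failures += wcscmp(big, L"C:\\share\\file.txt") != 0;
    /* exact fit: 8 + 1 + 8 + NUL = 18 wide characters */
    failures += join_path_checked(L"C:\\share", L"file.txt", tight, 18) != 0;
    failures += wcscmp(tight, L"C:\\share\\file.txt") != 0;
    /* one character short: must be refused rather than overrun */
    failures += join_path_checked(L"C:\\share", L"file.txt", tight, 17) != -1;
    failures += join_path_checked(L"C:\\share", L"", tight, 0) != -1;
    return failures;
}
```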

V. Summary

RPC-related vulnerabilities have had few introductions, so beginners have nowhere to start. If you are interested in this area, you can contact Friddy on QQ 568623, or send an email to qianyang@ssyeah.com, to explore related issues and exchange views together.

Finally, for the 2009 New Year, I wish you all a 0day!
